CVE-2019-17556 – org.apache.olingo:odata-client-proxy
Package
Manager: maven
Name: org.apache.olingo:odata-client-proxy
Vulnerable Version: >=4.0.0 <4.7.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00782 (percentile 0.72848)
Details
Deserialization of Untrusted Data in Apache Olingo. Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API; it uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, the worst case is execution of attacker-controlled code on the host running the client.
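The following is an added, self-contained illustration of the CWE-502 pattern the advisory describes; it is not code from Apache Olingo or from the advisory. It assumes a hypothetical service that accepts Base64-encoded serialized "metadata" (the `Metadata` and `Gadget` classes, the `loadUnchecked`/`loadChecked` method names and the `MetadataDeserializationDemo` class are all constructed for this demo), and it uses the JDK's `ObjectInputFilter` (Java 9 and later) to show the difference between deserializing with no class check and deserializing against an allow-list of expected types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

/**
 * Illustrative CWE-502 demo (not Olingo code): a service accepts a
 * Base64-encoded Java-serialized "metadata" blob and deserializes it.
 */
public class MetadataDeserializationDemo {

    /** The only type the service legitimately expects (constructed for this demo). */
    public static final class Metadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String namespace;
        Metadata(String namespace) { this.namespace = namespace; }
    }

    /** Stand-in for a gadget class: its readObject hook runs as soon as the stream is read. */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // a real gadget chain would spawn a process, write a file, etc.
        }
    }

    /** Vulnerable pattern: readObject() on caller-supplied bytes; any class on the classpath can be instantiated. */
    public static Object loadUnchecked(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: an ObjectInputFilter allow-lists the expected type; every other class is REJECTED. */
    public static Metadata loadChecked(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        // Pattern syntax: ';'-separated class names, '!' negates, '*' wildcards. "!*" at the end rejects
        // anything not listed. java.lang.String is listed defensively for the String field.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                Metadata.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return (Metadata) in.readObject();   // filter runs at class resolution, before any instance exists
        }
    }

    /** Plays the client (or the attacker): serialize any object to the Base64 form the service accepts. */
    public static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String benign  = encode(new Metadata("Demo.Namespace"));   // what a legitimate service would send
        String hostile = encode(new Gadget());                     // what an attacker in the data path sends

        // Unchecked: the benign payload works, but so does the hostile one.
        System.out.println("unchecked benign : " + ((Metadata) loadUnchecked(benign)).namespace);
        loadUnchecked(hostile);
        System.out.println("unchecked hostile: gadget triggered = " + Gadget.triggered);

        // Checked: the benign payload still works; the hostile one is rejected before instantiation.
        Gadget.triggered = false;
        System.out.println("checked benign   : " + loadChecked(benign).namespace);
        try {
            loadChecked(hostile);
        } catch (InvalidClassException e) {
            System.out.println("checked hostile  : rejected (" + e.getMessage()
                    + "), gadget triggered = " + Gadget.triggered);
        }
    }
}
```

Two practical notes. First, a per-stream filter as above is the narrowest fix; a process-wide filter can be set without code changes via `-Djdk.serialFilter=...` (same pattern syntax) or `ObjectInputFilter.Config.setSerialFilter`, which is the quickest mitigation for a dependency you cannot patch immediately. Second, on Java 8, where `ObjectInputFilter` does not exist, the equivalent control is a subclass of `ObjectInputStream` that overrides `resolveClass` and throws `InvalidClassException` for any class descriptor not on the allow-list; upgrading to odata-client-proxy 4.7.0 or later is still the real fix.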
Metadata
Created: 2020-02-04T22:38:22Z
Modified: 2021-08-19T16:54:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-gj76-429m-56wc/GHSA-gj76-429m-56wc.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-gj76-429m-56wc
Finding: F096
Auto approve: 1